Skip to content
Permalink
Browse files

Fix #7820: Heap use after free when removing oil rig

  • Loading branch information...
JGRennison authored and michicc committed Nov 2, 2019
1 parent 460f73c commit 2be619ea88837c6293129841511816c105b507a3
Showing with 7 additions and 1 deletion.
  1. +3 −1 src/industry_cmd.cpp
  2. +4 −0 src/station_cmd.cpp
@@ -146,6 +146,8 @@ Industry::~Industry()
* Also we must not decrement industry counts in that case. */
if (this->location.w == 0) return;

const bool has_neutral_station = this->neutral_station != nullptr;

TILE_AREA_LOOP(tile_cur, this->location) {
if (IsTileType(tile_cur, MP_INDUSTRY)) {
if (GetIndustryIndex(tile_cur) == this->index) {
@@ -159,7 +161,7 @@ Industry::~Industry()
}
}

if (this->neutral_station != nullptr) {
if (has_neutral_station) {
/* Remove possible docking tiles */
TILE_AREA_LOOP(tile_cur, this->location) {
ClearDockingTilesCheckingNeighbours(tile_cur);
@@ -4172,6 +4172,10 @@ void DeleteOilRig(TileIndex tile)

/* The oil rig station is not supposed to be shared with anything else */
assert(st->facilities == (FACIL_AIRPORT | FACIL_DOCK) && st->airport.type == AT_OILRIG);
if (st->industry != nullptr && st->industry->neutral_station == st) {
/* Don't leave dangling neutral station pointer */
st->industry->neutral_station = nullptr;
}
delete st;
}

0 comments on commit 2be619e

Please sign in to comment.
You can’t perform that action at this time.